Apply OPA Gatekeeper Policies
To control, audit, and debug your production deployments, you can use policies for Open Policy Agent (OPA) Gatekeeper. Gatekeeper provides CustomResourceDefinitions for creating and extending deployment constraints through constraint templates.
Control Your Deployments with Gatekeeper Policies
The Kubernetes Operator offers a list of Gatekeeper policies that you can customize and apply to your deployments.
Each Gatekeeper policy consists of:
a <policy_name>.yaml file that defines the constraint template
a constraints.yaml file that is based on the constraint template
You can use binary and configurable Gatekeeper policies:
Binary policies allow or deny specific configurations, such as denying deployments that don't use TLS, or allowing only specific MongoDB or Ops Manager versions.
Configurable policies let you specify values, such as the total number of replica set members to deploy for a specific MongoDB or Ops Manager custom resource.
To use and apply Gatekeeper sample policies with the Kubernetes Operator:
Install the OPA Gatekeeper on your Kubernetes cluster.
Review the list of available constraint templates and constraints:
kubectl get constrainttemplates
kubectl get constraints
Navigate to the policy directory, select a policy from the list, and apply it and its constraints file:
cd <policy_directory>
kubectl apply -f <policy_name>.yaml
kubectl apply -f constraints.yaml
Review the Gatekeeper policies that are currently applied:
kubectl get constrainttemplates
kubectl get constraints
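As an added example of the template-plus-constraint structure described above (not one of the operator's sample policies), the following binary policy denies MongoDB resources that do not enable TLS. The first YAML document is what <policy_name>.yaml would hold and the second is the matching constraints.yaml; it assumes the MongoDB custom resource exposes the TLS switch at spec.security.tls.enabled.

```yaml
# <policy_name>.yaml: the ConstraintTemplate. Its metadata.name must be the
# lowercase form of the constraint kind it defines (MongoDBRequireTLS).
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: mongodbrequiretls
spec:
  crd:
    spec:
      names:
        kind: MongoDBRequireTLS
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package mongodbrequiretls

        # A violation is raised when the TLS flag is false or absent.
        # `not` on an undefined path evaluates to true, so a resource
        # that omits spec.security entirely is also denied.
        violation[{"msg": msg}] {
          obj := input.review.object
          not obj.spec.security.tls.enabled
          msg := sprintf(
            "MongoDB resource %v/%v must set spec.security.tls.enabled: true",
            [obj.metadata.namespace, obj.metadata.name])
        }
---
# constraints.yaml: instantiates the template and scopes it to MongoDB
# custom resources. Field path assumed: spec.security.tls.enabled.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: MongoDBRequireTLS
metadata:
  name: mongodb-must-use-tls
spec:
  # Use "dryrun" first to collect violations in the constraint status
  # without blocking admissions, then switch to "deny".
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["mongodb.com"]
        kinds: ["MongoDB"]
```

After applying both files, `kubectl describe mongodbrequiretls mongodb-must-use-tls` shows any existing resources that violate the policy under status.violations.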
List of Sample OPA Gatekeeper Policies
The Kubernetes Operator offers the following sample policies in this OPA examples GitHub directory:
Location | Policy Description
---|---
| Blocks all MongoDB and Ops Manager resources. This allows you to use the log output to craft your own policies. To learn more, see Gatekeeper Debugging.
| Allows deploying only replica sets for MongoDB resources and prevents deploying sharded clusters.
| Allows deploying only specific MongoDB versions.
| Allows deploying only specific Ops Manager versions.
| Allows using strict TLS mode for MongoDB deployments.
| Allows deploying a specified number of Ops Manager replica set and Application Database members.
| Allows installing Ops Manager in a non-interactive mode.